Malware Reversing: Insomnia

Converted from Blogger. Please excuse any layout errors!
Insomnia is a .NET Framework Windows PE commanded through IRC that has been around for quite a few years. It has been updated and sold online for $30-$50. I came across this sample and ran it inside Cuckoo sandbox. Cuckoo indicated it was part of an IRC botnet, so I immediately started to pick it apart.

Reversing Insomnia

Notable Strings:

$ strings 0d2df9914ff16053817a2d31b4ccdb0e2113dc96d1c499465c0be65444cd3538 | grep 'CorExeMain'
_CorExeMain
"When a .NET executable loads, its entry point is usually a tiny stub of code. That stub just jumps to an exported function in MSCOREE.DLL (_CorExeMain or _CorDllMain)" (http://a5.tf/Dbg)
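The triage step the strings command above performs, as an added Python example that is not part of the original post: it parses the PE header for the CLR runtime header data directory (the structural marker of a .NET assembly) and pairs that with the _CorExeMain / mscoree.dll string indicators, so a sample is flagged even when the strings are absent or obfuscated. The bytes produced by build_sample are a constructed minimal PE32 header for offline testing, not the Insomnia sample.

```python
import struct

# Index of the CLR runtime header in the optional header's data directory table
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR = 14

def clr_header_directory(data: bytes):
    """Return (rva, size) of the CLR runtime header, or None if absent or not a PE."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    opt = e_lfanew + 24  # optional header follows the 4-byte signature + 20-byte COFF header
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:       # PE32
        count_off, dir_off = 92, 96
    elif magic == 0x20B:     # PE32+
        count_off, dir_off = 108, 112
    else:
        return None
    n_dirs = struct.unpack_from("<I", data, opt + count_off)[0]
    if n_dirs <= IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR:
        return None
    entry = opt + dir_off + 8 * IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
    rva, size = struct.unpack_from("<II", data, entry)
    return (rva, size) if rva and size else None

def dotnet_indicators(data: bytes) -> dict:
    """Structural check plus the two string indicators a 'strings | grep' pass would show."""
    return {
        "clr_header": clr_header_directory(data) is not None,
        "cor_exe_main": b"_CorExeMain" in data,
        "mscoree": b"mscoree.dll" in data.lower(),
    }

def build_sample(dotnet: bool) -> bytes:
    """Constructed minimal PE32 header for offline testing; not a real or runnable binary."""
    e_lfanew = 0x80
    dos = (b"MZ" + b"\0" * 0x3A + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\0")
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 96 + 16 * 8, 0x102)  # i386, 16 directories
    opt = struct.pack("<H", 0x10B).ljust(92, b"\0") + struct.pack("<I", 16)
    dirs = [(0, 0)] * 16
    if dotnet:
        dirs[IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR] = (0x2008, 0x48)  # plausible RVA/size, constructed
    opt += b"".join(struct.pack("<II", *d) for d in dirs)
    tail = b"mscoree.dll\0_CorExeMain\0" if dotnet else b"kernel32.dll\0ExitProcess\0"
    return dos + b"PE\0\0" + coff + opt + tail
```

Run dotnet_indicators over a file's bytes; a true clr_header with false string indicators is worth a second look, since the import names may have been stripped or packed.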

The mainChannel and botNick strings were enough to give away it was joining an IRC server.

Because the strings indicated the executable was built on the .NET Framework, I switched over to DotPeek.

Insomnia Functions

DotPeek was very informative because it was able to disassemble the sample. The source code became cleartext, and I was able to fully understand what the sample was doing. The code was extremely well written compared to other samples I have seen.

I was able to export the sample from DotPeek into Visual Studio 2013 and begin debugging and reversing.

There is a snippet of code in Config.cs with all of the customizable configuration values:

Results:

Disassembling and reversing the encryption leads to a domain name which hosts the IRC server. Most of the server names use a dynamic DNS service like No-IP or DynDNS.
We can connect to the IRC server and start issuing commands, like in my other entry, To Catch a Hacker.